Greece: HDPA announces publication of decision adopting Coronavirus and data protection guidelines

The Hellenic Data Protection Authority ('HDPA') announced, on 23 November 2020, the publication of its Decision 5/2020 adopting the guidelines on the processing of personal data in the context of the Coronavirus pandemic. In particular, the HDPA noted that in situations of crisis it is important to adopt necessary technical and organisational measures to tackle the crisis while complying with the requirements of Law 4624/2019 on the Personal Data Protection Authority, Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) and Transposing into National Law Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) and Other Provisions, as well as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In addition, the HDPA highlighted that both public and private entities, as data controllers, must be aware of their obligations under data protection law. It outlined that, in accordance with Article 5(1) of the GDPR, only personal data that is necessary to the purpose of mitigating the risk of spread of Coronavirus should be collected, and that processing must be based on a legal basis outlined in Article 6 of the GDPR.

More specifically, and in the context of employment, the HDPA cautioned against relying on consent as a legal basis for processing employee data because of the imbalance of power inherent in employment relationships, highlighting that employers may rely on the legal basis of determining the ability of an employee to work. Furthermore, the HDPA noted that employees are also responsible for reporting to their employers any instances where they may constitute a threat to public health.

With respect to taking the temperatures of visitors, suppliers, and employees, the HDPA stated that such processing must abide by the principles of data minimisation and data security. Lastly, the HDPA noted that taking temperatures at the entrance to the place of employment should take place only if any other alternative measure is deemed inadequate by the data controller, and that generalised and constant collection of personal data for creating employee health profiles would not be proportionate.

You can download the press release here and Decision 5/2020 here, both only available in Greek.